Feature #5007
CertificateBundle fetcher (open)
Description
Implement CertificateBundle fetcher API, as specified in #2766-30.
This issue includes these types:
CertBundleFetcher
Updated by Junxiao Shi about 5 years ago
- Blocked by Feature #5004: CertificateBundle encoding and decoding added
Updated by Alex Afanasyev over 4 years ago
- Tags changed from CertificateBundle to CertificateBundle, security
Updated by Jeremy Clark over 4 years ago
Could you give an example of how an application would call the CertificateBundleFetcher?
Specifically, I don't understand this:
Upon receiving a certificate request, this fetcher retrieves a certificate bundle registered by
addBundle() if matched, or deriveCertBundleName(certName) otherwise.
What does it mean for it to receive a certificate request?
This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal
CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.
For this part, does it just insert the certificates into the unverified cache?
Updated by Jeremy Clark over 4 years ago
Am I correct in my understanding that the CertificateBundleFetcher uses the SegmentFetcher internally to fetch the bundle? If so, how does the application pass a reference to the validator?
Updated by Alex Afanasyev over 4 years ago
You may be misunderstanding this issue or I didn't correctly understand your question. CertBundleFetcher would be similar to CertificateFetcherFromNetwork, just instead of fetching a single cert, it would try to fetch the bundle. But overall, it would use the same interface.
Updated by Jeremy Clark over 4 years ago
Per the design posted here: (https://redmine.named-data.net/issues/2766#note-30)
Retrieval of a single certificate bundle should be handled by SegmentFetcher.
This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.
This is the reason I've written the Segmenter and added in-order mode to the SegmentFetcher. Since a cert bundle may be made up of multiple segments, the SegmentFetcher is used here. My question is whether the SegmentFetcher exists internally and the API design is missing where the calling application can pass a reference to the Validator, or if it exists as I think it does and I'm just missing something about how it's constructed, or if I'm completely misunderstanding and the CertBundleFetcher does not use the SegmentFetcher internally.
Updated by Alex Afanasyev over 4 years ago
The fetcher instance should be created and stored inside the ValidationState instance (the one you get as a parameter inside the CertificateFetcher interface). ValidationState supports the TagHost interface.
Actually, we already have CertificateBundleFetcher that uses BundleNameTag. If you need to preserve the instance of the fetcher, you either rename the tag and store both (name + fetcher) or create a new tag (I prefer having a single tag).
Updated by Jeremy Clark over 4 years ago
I see where I was misunderstanding before. But I'm still unsure how to create a SegmentFetcher instance inside the ValidationState instance without some access to a Validator reference necessary for the SegmentFetcher constructor.
Updated by Alex Afanasyev over 4 years ago
Ehm. This is not the place to do the validation, the job here is simply to fetch stuff. The certificate will be validated by the higher-level logic.
Updated by Jeremy Clark over 4 years ago
What do you suggest I do about the validator requirement for the SegmentFetcher? https://github.com/named-data/ndn-cxx/blob/09236c2b8d6d39218d22cdd5dd8d9bf9e5a1f352/ndn-cxx/util/segment-fetcher.hpp#L161
Updated by Alex Afanasyev over 4 years ago
Use ValidatorNull, though yes, you still need to create and keep an instance of it in the tag.
Updated by Davide Pesavento over 3 years ago
- Target version changed from 0.8.0 to 0.9.0
Updated by Davide Pesavento about 1 year ago
- Tags changed from security, CertificateBundle to CertificateBundle
- Assignee deleted (Jeremy Clark)
- Target version deleted (0.9.0)
Updated by Davide Pesavento about 1 year ago
- Blocks Task #3950: Use CertificateBundleFetcher instead of DirectFetcher added